summaryrefslogtreecommitdiff
path: root/app/controllers
AgeCommit message (Collapse)Author
6 daysFix malformed-HTML fallout across RSS, link rewriting, and flash messagingerdgeist
Editors' TinyMCE output can contain unclosed void elements like <br>, which is valid HTML5 but invalid XML -- three different places assumed the stricter rule and broke or silently misbehaved on the looser one. The Atom feed's <content type="xhtml"> block required real, well-formed XML structure but was handed a raw, unescaped body string; switched to type="html" with CGI.escapeHTML, matching how title/summary already handle the same content. rewrite_links_in_body used libxml's strict XML parser to rewrite internal links to be locale-prefixed, which raised on exactly this class of malformed markup -- silently, since the whole method was wrapped in rescue; nil, meaning the link rewrite (not the save) quietly failed with no error anywhere. Replaced with Nokogiri's lenient HTML parser, which repairs malformed void elements rather than rejecting them; also drops the bare rescue now that the actual failure mode it was guarding against shouldn't occur, and fixes two adjacent bugs found while in this method: a typo'd /sytem/uploads/ regex that could never match, and a missing https:// exclusion alongside the existing http:// one. Also addresses stale flash messaging surfaced while testing the above: update's save confirmation was being clobbered by edit's own "locked and ready" notice on the very next request, since nothing distinguished a fresh lock acquisition from a redirect back after saving. The save confirmation now names the next step (publish from Status) and flags a stale translation if one exists, using Page#outdated_translations?, already present but previously unused by any controller.
6 daysMajor resource view cleanuperdgeist
Remove dead pages#index and occurrences resource; fix menu_items#new menu_items#new called menu_item_params, which requires a submitted menu_item key that can never be present on a fresh GET -- new only ever needs a blank record to render against. pages#index and the entire occurrences resource were unmodified Rails scaffold generator output, unlinked from any nav and unreachable except by direct URL. pages#index had no controller action at all (@pages was never assigned); occurrences#index queried every row with no scoping or pagination and its layout referenced a scaffold.css asset that no longer exists in the pipeline. Neither is a real editorial surface -- occurrences are auto-generated from an event's RRULE and were never meant to be browsed as a flat list. Removed rather than repaired. pages#preview and pages#sort_images remain, now as explicit routes rather than under a full resources :pages block.
7 daysAdd the Status section to nodes#show and rebuild nodes#edit's action barerdgeist
Retires content_for :subnavigation on nodes#show entirely -- Preview was fully redundant with Links' own preview URLs in every state, and Edit is now a permanent, always-rendered action inside the new Status section rather than a link floating at the top, consistent with the "action lives next to the info" pattern People already established for Unlock. Status surfaces head/draft/autosave plainly and gates Edit/Publish/Destroy/Discard on lock ownership specifically, not mere lock presence -- @node.locked? alone would have blocked the lock owner's own session, caught by the click-test and fixed here rather than shipped. nodes#edit's action bar is rebuilt to sit outside form_for (both button_to calls render their own nested form, invalid HTML the browser was silently stripping) with Save wired back in via form="..." rather than needing to live inside the form tag at all. Also brings the locked-and-ready-to-edit flash message, and the visual polish from this session's click-test: consistent button heights across the bordered and pill-shaped variants sharing a row, spacing between Status's data and its actions, and error_messages styling reusing the destructive-red vocabulary already established elsewhere.
7 daysFix revert being unusable from an unlocked nodes#showerdgeist
revert! requires the lock to already be held, correct for nodes#edit where the editor holds it throughout -- but both exclusive-case buttons on nodes#show fire from a node that starts out unlocked, which raised LockedByAnotherUser incorrectly. lock_for_editing! first makes both call sites safe: a harmless re-stamp when already the owner, a real but momentary acquisition otherwise, released again by revert! itself once nothing is left to protect.
7 daysFix blank-title validation and its lost form state on re-rendererdgeist
A blank title failed presence and length validation simultaneously, showing two redundant messages for one problem; length now skips whenever slug is already blank, matching presence's own skip condition. Separately, create's failure path never computed @selected_kind/@parent_id/@parent_name the way new does, so re-rendering after a validation error silently lost which kind and parent had been chosen -- for the auto-tagging/auto-templating kinds, that meant a corrected resubmission could silently produce a plain generic node instead. required on the title field closes the common case without a round trip; the server-side fix remains the actual guarantee, since required is trivially bypassed.
7 daysAdd revert!/discard and rebuild nodes#edit around the new hierarchyerdgeist
revert! discards exactly the topmost non-empty layer -- autosave if present, else draft -- and reveals whatever's beneath it, releasing the lock only once nothing is left to protect. Guards against destroying a brand-new, never-published node's only draft, which would violate the (head | draft) invariant every other method here assumes holds; the view's Destroy/Discard button is gated the same way. nodes#edit now calls lock_for_editing! instead of find_or_create_draft, and always displays autosave || draft || head, resurrecting an abandoned session's unsaved content by default with an explicit flash explaining what's shown and how to get back to the last saved version. The view drops content_for :subnavigation entirely: Show becomes "Unlock + Back", Preview stays a plain link, metadata's own <details> already replaced the old toggle, and Publish moves off this page for good, per the earlier decision to manage the publish lifecycle entirely from nodes#show. Save Draft and Save + Unlock + Exit appear both above and below the form, given the body field alone runs 600px on desktop.
7 daysFix tests for the new autosave routingerdgeist
Route Save and autosave through the new Node methods update now promotes the current autosave into the draft via save_draft! rather than writing submitted params directly; autosave gets its own PUT member route so PATCH update can mean "deliberate save" specifically, matching every other custom action on this resource. Both now require the lock to already be held rather than acquiring it themselves, which is a deliberate narrowing: through the real UI this is always true, since neither can fire before edit has loaded. Two existing tests called update directly with no prior edit, which the old code tolerated by acquiring the lock as a side effect; updated to call edit first instead of loosening the guarantee back open. NodesController#edit itself is unchanged and still calls the old find_or_create_draft, so drafts are still created eagerly on entering edit for now -- switching that over is the next step, not this one.
9 daysAdd context-aware child-creation shortcuts to nodes#showerdgeist
parent_match Procs on CccConventions::NODE_KINDS, matched against unique_path, decide which "add child" kinds show on a given node. Fixes nodes#new not honoring a pre-selected kind (radio group and parent-field visibility both defaulted to "generic" unconditionally).
9 daysReplace awesome_nested_set with a plain parent_id-based NestedTree concernerdgeist
Root-caused this session: appending a child to any node never widened that parent's own rgt boundary, on the pinned revision (Gemfile tracked main directly, chasing a too-conservative gemspec constraint - not, as first assumed, a deliberate pin to avoid a known bug). Reproduced cleanly on a single ordinary create with no concurrency and no bulk operation involved, confirmed via the gem's own SetValidator, then confirmed as the root cause of nodes_controller_test.rb's 3 long-standing "pre-existing" failures - not three separate mysteries, one bug. admin_controller's sitemap needed its own real conversion, not just a drop-in: awesome_nested_set's lft column implicitly provided correct depth-first tree order for free, which the old code combined with a separate class-level each_with_level iterator. Both replaced by one method, self_and_descendants_ordered_with_level, computing an ordered [node, level] list in a single query-then-walk pass - checked against the actual view template first (admin/index.html.erb) rather than assumed, since it relies on list order alone to render correct visual nesting. lft/rgt/depth columns intentionally left in schema, unused - dropping them is a separate, deliberately deferred migration once this is proven running for a while, not bundled with the behavior change.
9 daysFix shared preview links breaking after a second publisherdgeist
A token's page could stop being node.head_id (superseded by a newer draft) while still being published_at.present? - the old check only compared against the current head, so a superseded page fell through to direct rendering instead of redirecting, serving a stale frozen snapshot indefinitely instead of the current live content. Also handles scheduled publishing correctly: a page can be head_id but not yet public? (published_at in the future) - that case must still render directly, not redirect into a 404 on the not-yet-live public URL.
9 daysAdd public preview links for draftserdgeist
Lets editors share a draft with people outside the admin system, via a random per-page token rather than an enumerable id - /preview/<token>. shared_previews#show is intentionally unauthenticated. Redirects to the real public URL once the page is published. Surfaced on nodes#show (Admin Preview + Public Preview, next to Public Link) as generate/revoke buttons.
10 daysWhitespace fixeserdgeist
10 daysAdd erfa/chaostreff node-kind creation conventionserdgeist
lib/ccc_conventions.rb: NODE_KINDS registry replaces the kind-specific branches previously scattered across nodes_controller#create (tags), unique_path-position check). Each kind declares its parent lookup (a Proc - Update's "update"/"press_release" continue to genuinely find-or-create their year-folder via Update.find_or_create_parent; erfa/chaostreff use a plain find_by_unique_name!, since their parent nodes are fixed and a missing one should fail loudly, not be silently created), its tags, and (new) its default template. Node gains a default_template_name column (migration, with backfill for existing update-tree nodes via node.update? - reusing that method rather than re-deriving its unique_path check in raw SQL). Page#set_template now inherits from node.default_template_name, falling back to the old update?-based check only when the column is blank, and only fills in template_name when nothing's already been explicitly chosen - a deliberate change from the previous behavior, which unconditionally overwrote template_name on every save regardless of manual selection. Node#update? itself is unchanged and still used as-is by admin_controller's sitemap filtering - a genuinely different, still valid use of that check. "generic" stays special-cased in the controller, parametrized by params[:parent_id] at request time - doesn't fit "kind implies a fixed lookup" and isn't in the registry. nodes#new's four hardcoded radio buttons and nodes_controller's kind-specific case/when branches are both replaced by iterating/looking up this one registry - adding a new kind now means one new hash entry, not four scattered edits.
10 daysFix admin search results colliding with other search widgetserdgeist
layouts/admin.html.erb's top-bar search results div shared id "search_results" with nodes#new/nodes#edit's parent-search widget - since the layout renders on every admin page, whichever widget's JS ran last silently won the shared ID, putting top-bar results into the parent-search box on affected pages. Renamed to "menu_search_results" and updated admin_search.js to match. Also modernizes admin_search.js's event bindings from keyup/keydown/ keypress/paste/cut + .attr("value") to input + .val() throughout (menu_items, parent_search, move_to_search) - the multi-event binding was working around old IE compatibility that .val() + "input" already handles correctly. parent_search's result rendering now matches menu_search's convention (real <p>/<a> markup with a .result_path span) instead of a bare <a> in a throwaway wrapper div, so the same CSS rule now correctly applies to both. menu_search's JSON response gains node_path per result, matching what admin_search's own results already provide - not yet consumed by parent_search/move_to_search, which still render click-to-select links rather than navigable ones (correct for their purpose - selecting a value, not leaving the page). Known remaining gap, not fixed here: menu_items, parent_search, and move_to_search still all target the literal id "search_results" between themselves. No live collision today since none of the three currently share a page, but it's the same fragility as the bug above - tracked alongside the existing menu_items/parent_search/move_to_search consolidation backlog item rather than treated as resolved.
12 daysFix safe_return_to being uncallable from controllerserdgeist
Defined only in ApplicationHelper, which Rails auto-mixes into views but not controllers - so events#create and events#update, which call it directly, have been broken since introduction. Likely unexercised until now because every existing event was created via node.events.create! in the seed script, never through a real POST. Moved to ApplicationController as a protected method + helper_method declaration, so both controllers and views can call it (form_error_ messages stays in ApplicationHelper - it's genuinely view-only, content_tag isn't available in a controller either). Logic unchanged, caught by the new EventsController tests in the previous commit.
12 daysAdd self-service event creation from nodes#showerdgeist
nodes#show's events table now renders unconditionally (previously hidden entirely for a zero-event node) and gains an "add event" link. The suggested tag_list is derived from the page's own category tags via NodesHelper::DEFAULT_EVENT_TAG_BY_PAGE_TAG (erfa-detail/ chaostreff-detail -> open-day) rather than hardcoded, and degrades to a blank field for any node whose tags don't match - deliberately universal, not chapter-specific, since Updates have historically carried event dates the same way. events#new surfaces *why* the tag was pre-filled via flash.now (not flash - this is a same-request render, not a redirect), using an explicit auto_tag_source param passed alongside tag_list rather than having the controller re-derive the reason from node_id. No destroy link added to nodes#show's events list - deliberate, per existing subnav-semantics convention (destructive actions live on the resource's own views). Covered directly by test. Adds real coverage for EventsController, previously 100% commented-out scaffold, plus unit tests for the new tag-mapping helper and the weekday-abbreviation helpers from the prior commit.
14 daysClean up events views: return_to, subnav, remove custom_rruleerdgeist
- events_controller: wire return_to through show and new actions; create respects return_to with fallback to node/event path; new pre-populates node_id and tag_list from params - events/edit: remove custom_rrule checkbox; node link removed from subnav (use show for node navigation); destroy button added - events/new: remove custom_rrule checkbox; add return_to hidden field and back link; tag_list field added - events/show: fix back link via safe_return_to; add node link to subnav; add destroy button; remove custom_rrule display; show humanized rrule below raw string - events/index: destructive class on destroy button; node_id column replaced with node link; show/edit links carry return_to - nodes/show: add show/edit links to event entries with return_to
2026-06-30Fix events CRUD for standalone events and add events to admin menuerdgeist
- event_params now permits title, description, is_primary - event_information helper lists all node.events, not just the first - Occurrence.generate handles nil node (standalone events) - Page.aggregate order_by title uses correlated subquery to avoid GROUP BY conflict with tag-filter path; order_direction whitelisted to ASC/DESC to prevent SQL injection - Events link added to admin menu bar - events/index shows title, is_primary; drops latitude/longitude columns
2026-06-30Permit :admin in params only for adminserdgeist
2026-06-30Remove recent_changes RSS feed. It leaks unpublished drafts and the basic auth was only symbolicerdgeist
2026-06-30Prevent xss by not allowing return_to to point to javascript resourceserdgeist
2026-06-30Improve admin search overlay layout and behaviourerdgeist
- Widen overlay (300px -> min(520px, 90vw)), centre instead of hardcoded left:400px, so it scales from mobile to desktop - Split title and unique_name into separate JSON fields and DOM elements; two-line result layout (bold title, small grey monospace path) instead of "Title (path)" wrapping awkwardly - Add small margin between title and path line - Fix event handler stacking: keyup/escape/outside-click handlers were being rebound on every display_toggle call. Moved all bindings to initialize(), display_toggle() now only shows/hides - Switch search input from keyup to input event, catching paste and cut via mouse which keyup misses - Add Escape key and outside-click to dismiss the overlay - Stop clearing search box and results on close; reopening now preserves prior search, matching standard search UI behaviour - Link search results to node_path instead of edit_node_path, since opening edit auto-locks the node - Add "press Enter to see all results" hint in dropdown - Disable browser autocomplete on search input
2026-06-29Restore and improve admin node searcherdgeist
- Admin search broke when routing-filter was removed: hardcoded /admin/search and /admin/menu_search URLs in admin_search.js no longer matched the locale-scoped routes. Fix by emitting locale-aware URLs from the layout as JS variables. - Also fixes form submission (POST -> GET, missing = on form_tag), jQuery .attr("value") -> .val() for typeahead input reading, and template name for Rails 8 compatibility. - Adds a visible "search" link to the admin menu so editors can discover the feature without knowing the Alt+F shortcut. Search results now show node path alongside title and link directly to the edit view. Named route admin_menu_search added to routes.rb.
2026-06-27rss: add per-tag Atom feed at /rss/tags/:tag/updates.xmlerdgeist
- rss#tag_updates action: filters Page.heads by tag name, default locale, 20 items, same caching as updates feed - tag_updates.xml.builder: Atom feed with CGI.escapeHTML on title and summary, consistent with updates.xml.builder - tags/show.html.erb: add subscription link above article list - routes: two routes per existing pattern (format-less + .:format constrained to /xml/)
2026-06-27Stage 7 click-testing fixes (2)erdgeist
- nodes_controller: permit staged_slug and staged_parent_id in node params; these were silently dropped since strong parameters migration, breaking the two-phase slug/parent change workflow - file_attachment: add SVG support; vector files are copied to all style directories without rasterisation, preserving scalability in the browser - assets index/show: constrain image display with max-width/max-height via admin.css td img rule; fixes oversized SVG thumbnails while leaving raster variants unaffected
2026-06-27Stage 7: Rails 7.2 → 8.1 on Ruby 3.2.11erdgeist
- Bump Rails to 8.1.3 (Ruby unchanged at 3.2.11, new gemset rails8-upgrade) - config.load_defaults 8.1; merge app:update diffs for all environment files - Remove routing-filter 0.7.0; replace with native scope '(:locale)' in routes.rb and default_url_options in ApplicationController - Delete config/initializers/routing_filter_rails71_patch.rb - Replace vendored TinyMCE 3.x (~200 files) with tinymce-rails ~> 8.3; migrate admin_interface.js from jQuery .tinymce()/advanced theme to tinymce.init(); add config/tinymce.yml; note: TinyMCE 7+ is GPL - rails-i18n ~> 8.0 added explicitly (previously indirect dependency) - awesome_nested_set, acts-as-taggable-on pinned to git main/master (gemspec activerecord < 8.1 ceiling; no functional incompatibility; repin to version once upstream releases updated gemspecs) - globalize ~> 7.0, libxml-ruby ~> 5.0, nokogiri ~> 1.18, pg ~> 1.5 - sass-rails, coffee-rails, uglifier moved from :assets group to main (Sprockets 4 convention; :assets group no longer meaningful) - Node: head, draft, lock_owner marked belongs_to optional: true - Page: node, user, editor marked belongs_to optional: true - Static assets in public/images/ and public/javascripts/ referenced via plain HTML tags; Rails 8 load_defaults raises on pipeline helpers for undeclared assets - sessions_controller_test.rb: remove stale require and dead rescue_action - users_controller_test.rb: assert button[type=submit] not input[type=submit] (Rails 8 button_to renders <button> not <input>) - test_helper.rb: node.reload after children.create! (awesome_nested_set 3.9.0 does not refresh parent in memory after callback) - 129 runs, 339 assertions, 3 failures, 0 errors — identical baseline to 7.2
2026-06-26Fix RSS feeds, xmlparser initializererdgeist
2026-06-26Stage 4: Rails 5.2 -> 6.1 on Ruby 2.7.2erdgeist
- routing-filter 0.6.3 -> 0.7.0 (Rails 6.1 compatibility) - RSS named routes rss_xml/rss_rdf added - RouteWithParams workarounds: will_paginate_patch, content_path shim, safe_path helper - Paperclip removed, replaced with FileAttachment concern (preserves URL scheme) - Assets resource moved to /admin/assets (Sprockets middleware conflict) - ApplicationRecord base class added, all models migrated - Strong parameters added to Assets, Occurrences, Events, MenuItems controllers - update_attributes -> update throughout - render :nothing -> head :ok/:not_found throughout - language_selector rewritten (removes :overwrite_params) - Environment files updated for Rails 6.1 (eager_load, public_file_server, ActionMailer) - Arel::Visitors::DepthFirst and Integer/Float duration patches removed from test_helper - AssetsController tests added (10 tests covering upload, variants, destroy, auth) - ImageMagick geometry: 460x250! for headline crop (not # which is invalid in IM6) 129 runs, 311 assertions, 5 failures (all pre-existing), 0 errors
2026-06-25Rails 5.2 application fixeserdgeist
- Rename before_filter → before_action across all controllers - Fix string conditions in validators to lambda syntax (node.rb) - Fix publish_draft!: move staged slug/parent logic outside draft guard, use move_to_child_of for parent changes, add nil guard for no-op calls - Fix update_unique_names_of_children: use parent_id traversal instead of lft/rgt descendants (awesome_nested_set 3.x lft/rgt update bug) - Fix unique_path to return Array instead of String - Fix Occurrence.delete_all syntax for Rails 5 - Fix Page.find_with_outdated_translations: use includes instead of all - Fix outdated_translations?: use find instead of splat array
2026-06-25Rails 4.2 model and controller fixeserdgeist
- Wrap all scopes in lambdas (required in Rails 4) - Move scopes after associations in page.rb (evaluated at load time in Rails 4) - Convert association :order options to lambda syntax - Remove attr_accessible from page.rb and user.rb - Add Strong Parameters: user_params in UsersController, node_params/page_params in NodesController - Fix clone_attributes_from: exclude id/page_id/timestamps when cloning translations - Fix redirect_to :back → request.referer fallback in nodes_controller - Fix node_path/publish and unlock actions: pass @node argument
2026-06-24Fix tagged content aggregator, assets path, and add regression testserdgeist
- Replace tagged_with calls in Page.aggregate, TagsController, RssController with direct SQL joins (acts-as-taggable-on 3.5 broken on Rails 3.2) - Fix Paperclip :path/:url to use plain :id format matching existing uploads - Add proper regression tests for aggregator, tags, and rss controllers - Fix assert_select assertions to target div.body div.article_partial
2026-06-24Stage 1 complete: Rails 2.3.5 to Rails 3.2.22.5 upgradeerdgeist
- Converted plugins to gems (Gemfile) - Updated config structure (application.rb, boot.rb, environment.rb) - Converted routes to Rails 3 DSL - Converted named_scope to scope throughout models - Converted find(:all, :conditions) to where() chains - Fixed has_many :order to use ordering scope - Updated session store and secret token configuration - Fixed exception_notification middleware configuration - Patched Ruby 2.4 / Rails 3.2 incompatibilities: - Integer/Float duration arithmetic (ActiveSupport) - Arel visit_Integer for PostgreSQL adapter - create_database String/Integer coercion - ActionController consider_all_requests_local - Migrated taggings schema for acts-as-taggable-on - Replaced dynamic_form gem with custom form_error_messages helper - Fixed Rails 3 block helper syntax (form_for, form_tag, fields_for) - Fixed admin layout yield - Updated test suite for Rails 3 APIs
2026-06-23Update deployed state to what's currently runningerdgeist
2025-02-06Improve worklflowerdgeist
2025-02-05Enhance admin view by sitemaperdgeist
2025-01-28Big overhaul patch and style changesCharlie Root
2012-01-04sanitized this motherfuckin search stringUser
2011-01-08Exclude root node from admin overview.Jens Ohlig
2010-07-20adding sponsors footerhukl
2010-05-09added index action for tags, primarily removing the associated exceptionhukl
2010-05-09return 404 for non existent gallerieshukl
2010-05-09only respond to html requests herehukl
2010-05-09filter out invalid locales right awayhukl
2010-05-09fix for non existing tagshukl
2010-01-31sanitize weird localeshukl
2009-12-01dramatically reduced instanciated AR objects for tagshukl
2009-12-01reduced instanciated AR objects for searchhukl
2009-11-20Its the final fix for the RSS Feed issues. Apparently people were subscribing the feed with weird locales set. Therfore the locale in the feed links and ids ↵hukl
contained the weird locales - got chached and messed up everything for the rest of the world.
2009-11-18added template for old RDF feed - needs to be validated thoughhukl
2009-11-03rss updates expire in 31 minuteshukl